Technology for speedily evaluating and selecting actions or countermeasures to protect information assets from security breaches has been disclosed in the related art (see, for example, patent document 1). This technology uses an action augmentation rate calculating means that works from two inputs: an action definition file containing the names of potential countermeasures, their risk ratios, and the evaluation item names linked to each corresponding potential countermeasure name; and applicable data that was entered as countermeasure name data. For each evaluation item, the means finds the sum of the risk reduction rates, and alongside this first sum it finds the sum of the risk reduction ratios for the applicable actions matching that evaluation item. The action augmentation rate is calculated as the ratio of these two sums.
An information management system was also disclosed in the related art for managing risk management information based on analysis results of the danger of sustaining damage in disasters such as fires (see, for example, patent document 2).
Another information management system was disclosed in the related art for entering initial (default) parameters, such as the priority of confidential information and the degree of safety of storage locations, and calculating values equivalent to risk values (see, for example, patent document 3).

[Patent document 1] JP-A No. 24526/2002
[Patent document 2] US Patent No. 2003/0160818
[Patent document 3] US Patent No. 2001/0044737
These types of information management systems were effective in converting the risk of information leaks into numerical values for management. However, these examples of the related art were only able to consider one type of phenomenon as a cause of fluctuation in risk values, and were incapable of managing the risk of information leakage from different causes with just one risk value. These systems of the related art further failed to consider that the value of information fluctuates with the passage of time, and were unable to make correct risk assessments. No administrator was appointed for managing the risk default values, and the system was difficult to operate. The system further did not refer to past risk values.